@@ -164,25 +164,26 @@ Deprecated features

 For an up-to-date list of all deprecated options, see this wiki page:

 https://community.openvpn.net/openvpn/wiki/DeprecatedOptions

-- ``--key-method 1`` is deprecated in 2.4 and will be removed in 2.5.  Migrate

-  away from ``--key-method 1`` as soon as possible.  The recommended approach

-  is to remove the ``--key-method`` option from the configuration files, OpenVPN

-  will then use ``--key-method 2`` by default.  Note that this requires changing

-  the option in both the client and server side configs.

+- ``--key-method 1`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.

+  Migrate away from ``--key-method 1`` as soon as possible.  The recommended

+  approach is to remove the ``--key-method`` option from the configuration

+  files, OpenVPN will then use ``--key-method 2`` by default.  Note that this

+  requires changing the option in both the client and server side configs.

-- ``--tls-remote`` is removed in 2.4, as indicated in the 2.3 man-pages.  Similar

-  functionality is provided via ``--verify-x509-name``, which does the same job in

-  a better way.

+- ``--tls-remote`` is removed in OpenVPN 2.4, as indicated in the v2.3

+  man-pages.  Similar functionality is provided via ``--verify-x509-name``,

+  which does the same job in a better way.

-- ``--compat-names`` and ``--no-name-remapping`` were deprecated in 2.3 and will

-  be removed in 2.5.  All scripts and plug-ins depending on the old non-standard

-  X.509 subject formatting must be updated to the standardized formatting.  See

-  the man page for more information.

+- ``--compat-names`` and ``--no-name-remapping`` were deprecated in OpenVPN 2.3

+  and will be removed in v2.5.  All scripts and plug-ins depending on the old

+  non-standard X.509 subject formatting must be updated to the standardized

+  formatting.  See the man page for more information.

-- ``--no-iv`` is deprecated in 2.4 and will be removed in 2.5.

+- ``--no-iv`` is deprecated in OpenVPN 2.4 and will be removed in v2.5.

-- ``--keysize`` is deprecated and will be removed in v2.6 together

-  with the support of ciphers with cipher block size less than 128 bits.

+- ``--keysize`` is deprecated in OpenVPN 2.4 and will be removed in v2.6

+  together with the support of ciphers with cipher block size less than

+  128-bits.

 - ``--comp-lzo`` is deprecated in OpenVPN 2.4.  Use ``--compress`` instead.

@@ -317,7 +318,7 @@ Maintainer-visible changes

   files instead of older ones, to provide a unified behaviour across systemd

   based Linux distributions.

-- With OpenVPN v2.4, the project has moved over to depend on and actively use

+- With OpenVPN 2.4, the project has moved over to depend on and actively use

   the official C99 standard (-std=c99).  This may fail on some older compiler/libc

   header combinations.  In most of these situations it is recommended to

   use -std=gnu99 in CFLAGS.  This is known to be needed when doing

@@ -339,7 +340,7 @@ New features

 Security

 --------

 - CVE-2017-7522: Fix ``--x509-track`` post-authentication remote DoS

-  A client could crash a 2.4+ mbedtls server, if that server uses the

+  A client could crash a v2.4+ mbedtls server, if that server uses the

   ``--x509-track`` option and the client has a correct, signed and unrevoked

   certificate that contains an embedded NUL in the certificate subject.

   Discovered and reported to the OpenVPN security team by Guido Vranken.

@@ -396,7 +397,7 @@ User-visible Changes

 Bugfixes

 --------

 - Fix fingerprint calculation in mbed TLS builds.  This means that mbed TLS users

-  of OpenVPN 2.4.0, 2.4.1 and 2.4.2 that rely on the values of the

+  of OpenVPN 2.4.0, v2.4.1 and v2.4.2 that rely on the values of the

   ``tls_digest_*`` env vars, or that use ``--verify-hash`` will have to change

   the fingerprint values they check against.  The security impact of the

   incorrect calculation is very minimal; the last few bytes (max 4, typically

@@ -425,17 +426,18 @@ Version 2.4.2

 Bugfixes

 --------

-- Fix memory leak introduced in 2.4.1: if ``--remote-cert-tls`` is used, we leaked

-  some memory on each TLS (re)negotiation.

+- Fix memory leak introduced in OpenVPN 2.4.1: if ``--remote-cert-tls`` is

+  used, we leaked some memory on each TLS (re)negotiation.

 Security

 --------

-- Fix a pre-authentication denial-of-service attack on both clients and servers.

-  By sending a too-large control packet, OpenVPN 2.4.0 or 2.4.1 can be forced

-  to hit an ASSERT() and stop the process.  If ``--tls-auth`` or ``--tls-crypt``

-  is used, only attackers that have the ``--tls-auth`` or ``--tls-crypt`` key

-  can mount an attack. (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)

+- Fix a pre-authentication denial-of-service attack on both clients and

+  servers.  By sending a too-large control packet, OpenVPN 2.4.0 or v2.4.1 can

+  be forced to hit an ASSERT() and stop the process.  If ``--tls-auth`` or

+  ``--tls-crypt`` is used, only attackers that have the ``--tls-auth`` or

+  ``--tls-crypt`` key can mount an attack.

+  (OSTIF/Quarkslab audit finding 5.1, CVE-2017-7478)

 - Fix an authenticated remote DoS vulnerability that could be triggered by

   causing a packet id roll over.  An attack is rather inefficient; a peer

@@ -1995,7 +1995,7 @@ could be either

 .B execve

 or 

 .B system. 

-As of OpenVPN v2.3, this flag is no longer accepted.  In most *nix environments the execve()

+As of OpenVPN 2.3, this flag is no longer accepted.  In most *nix environments the execve()

 approach has been used without any issues.

 Some directives such as \-\-up allow options to be passed to the external

@@ -2007,7 +2007,7 @@ To run scripts in Windows in earlier OpenVPN

 versions you needed to either add a full path to the script interpreter which can parse the

 script or use the

 .B system

-flag to run these scripts.  As of OpenVPN v2.3 it is now a strict requirement to have

+flag to run these scripts.  As of OpenVPN 2.3 it is now a strict requirement to have

 full path to the script interpreter when running non-executables files.

 This is not needed for executable files, such as .exe, .com, .bat or .cmd files.  For

 example, if you have a Visual Basic script, you must use this syntax now:

@@ -2202,7 +2202,7 @@ passwords, or key pass phrases anymore.  This has certain consequences,

 namely that using a password-protected private key will fail unless the

 .B \-\-askpass

 option is used to tell OpenVPN to ask for the pass phrase (this

-requirement is new in 2.3.7, and is a consequence of calling daemon()

+requirement is new in v2.3.7, and is a consequence of calling daemon()

 before initializing the crypto layer).

 Further, using

@@ -2475,7 +2475,7 @@ The

 parameter may be "lzo", "lz4", or empty.  LZO and LZ4

 are different compression algorithms, with LZ4 generally

 offering the best performance with least CPU usage.

-For backwards compatibility with OpenVPN versions before 2.4, use "lzo"

+For backwards compatibility with OpenVPN versions before v2.4, use "lzo"

 (which is identical to the older option "\-\-comp\-lzo yes").

 If the

@@ -3774,13 +3774,13 @@ option, this old formatting and remapping will be re-enabled again.  This is

 purely implemented for compatibility reasons when using older plug-ins or

 scripts which does not handle the new formatting or UTF-8 characters.

 .IP

-In OpenVPN v2.3 the formatting of these fields changed into a more

+In OpenVPN 2.3 the formatting of these fields changed into a more

 standardised format.  It now looks like:

 .IP

 .B

 C=US, L=Somewhere, CN=John Doe, emailAddress=john@example.com

 .IP

-The new default format in OpenVPN v2.3 also does not do the character remapping

+The new default format in OpenVPN 2.3 also does not do the character remapping

 which happened earlier.  This new format enables proper support for UTF\-8

 characters in the usernames, X.509 Subject fields and Common Name variables and

 it complies to the RFC 2253, UTF\-8 String Representation of Distinguished

@@ -3800,7 +3800,7 @@ carriage-return. no-remapping is only available on the server side.

 .B Please note:

 This option is immediately deprecated.  It is only implemented

 to make the transition to the new formatting less intrusive.  It will be

-removed in OpenVPN v2.5.  So please update your scripts/plug-ins where necessary.

+removed in OpenVPN 2.5.  So please update your scripts/plug-ins where necessary.

 .\"*********************************************************

 .TP

 .B \-\-no\-name\-remapping

@@ -3816,7 +3816,7 @@ It ensures compatibility with server configurations using the

 option.

 .B Please note:

-This option is now deprecated.  It will be removed in OpenVPN v2.5.

+This option is now deprecated.  It will be removed in OpenVPN 2.5.

 So please make sure you support the new X.509 name formatting

 described with the

 .B \-\-compat\-names

@@ -4226,8 +4226,8 @@ will inherit the cipher of the peer if that cipher is different from the local

 .B \-\-cipher

 setting, but the peer cipher is one of the ciphers specified in

 .B \-\-ncp\-ciphers\fR.

-E.g. a non-NCP client (<=2.3, or with \-\-ncp\-disabled set) connecting to a

-NCP server (2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers

+E.g. a non-NCP client (<=v2.3, or with \-\-ncp\-disabled set) connecting to a

+NCP server (v2.4+) with "\-\-cipher BF-CBC" and "\-\-ncp-ciphers

 AES-256-GCM:AES-256-CBC" set can either specify "\-\-cipher BF-CBC" or

 "\-\-cipher AES-256-CBC" and both will work.

@@ -5037,8 +5037,8 @@ response.

 (required) is a file in OpenVPN static key format which can be generated by

 .B \-\-genkey

-Older versions (up to 2.3) supported a freeform passphrase file.

-This is no longer supported in newer versions (2.4+).

+Older versions (up to OpenVPN 2.3) supported a freeform passphrase file.

+This is no longer supported in newer versions (v2.4+).

 See the

 .B \-\-secret

@@ -5596,7 +5596,7 @@ Write key to

 .B file.

 .\"*********************************************************

 .SS TUN/TAP persistent tunnel config mode:

-Available with linux 2.4.7+.  These options comprise a standalone mode

+Available with Linux 2.4.7+.  These options comprise a standalone mode

 of OpenVPN which can be used to create and delete persistent tunnels.

 .\"*********************************************************

 .TP

@@ -5923,7 +5923,7 @@ flag.

 .TP

 .B \-\-dhcp\-release

 Ask Windows to release the TAP adapter lease on shutdown.

-This option has no effect now, as it is enabled by default starting with version 2.4.1.

+This option has no effect now, as it is enabled by default starting with OpenVPN 2.4.1.

 .\"*********************************************************

 .TP

 .B \-\-register\-dns

@@ -6206,7 +6206,7 @@ isprint() function to return true.

 .B \-\-client\-config\-dir filename as derived from common name or username:

 Alphanumeric, underbar ('_'), dash ('-'), and dot ('.') except for "." or 

-".." as standalone strings.  As of 2.0.1-rc6, the at ('@') character has

+".." as standalone strings.  As of v2.0.1-rc6, the at ('@') character has

 been added as well for compatibility with the common name character class.

 .B Environmental variable names:

@@ -110,7 +110,7 @@ tls-auth ta.key 1

 # Select a cryptographic cipher.

 # If the cipher option is used on the server

 # then you must also specify it here.

-# Note that 2.4 client/server will automatically

+# Note that v2.4 client/server will automatically

 # negotiate AES-256-GCM in TLS mode.

 # See also the ncp-cipher option in the manpage

 cipher AES-256-CBC

@@ -246,13 +246,13 @@ tls-auth ta.key 0 # This file is secret

 # Select a cryptographic cipher.

 # This config item must be copied to

 # the client config file as well.

-# Note that 2.4 client/server will automatically

+# Note that v2.4 client/server will automatically

 # negotiate AES-256-GCM in TLS mode.

 # See also the ncp-cipher option in the manpage

 cipher AES-256-CBC

 # Enable compression on the VPN link and push the

-# option to the client (2.4+ only, for earlier

+# option to the client (v2.4+ only, for earlier

 # versions see below)

 ;compress lz4-v2

 ;push "compress lz4-v2"

@@ -6187,7 +6187,7 @@ add_option(struct options *options,

     else if (streq(p[0], "max-routes") && !p[2])

     {

         msg(M_WARN, "DEPRECATED OPTION: --max-routes option ignored."

-            "The number of routes is unlimited as of version 2.4. "

+            "The number of routes is unlimited as of OpenVPN 2.4. "

             "This option will be removed in a future version, "

             "please remove it from your configuration.");

     }

@@ -7018,7 +7018,7 @@ add_option(struct options *options,

         VERIFY_PERMISSION(OPT_P_GENERAL);

         if (streq(p[1], "env"))

         {

-            msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN v2.3.	 "

+            msg(M_INFO, "NOTE: --win-sys env is default from OpenVPN 2.3.	 "

                 "This entry will now be ignored.  "

                 "Please remove this entry from your configuration file.");

         }

@@ -7864,7 +7864,7 @@ add_option(struct options *options,

             msg(msglevel, "you cannot use --compat-names with --verify-x509-name");

             goto err;

         }

-        msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN v2.5.");

+        msg(M_WARN, "DEPRECATED OPTION: --compat-names, please update your configuration. This will be removed in OpenVPN 2.5.");

         compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);

 #if P2MP_SERVER

         if (p[1] && streq(p[1], "no-remapping"))

@@ -7880,7 +7880,7 @@ add_option(struct options *options,

             msg(msglevel, "you cannot use --no-name-remapping with --verify-x509-name");

             goto err;

         }

-        msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN v2.5.");

+        msg(M_WARN, "DEPRECATED OPTION: --no-name-remapping, please update your configuration. This will be removed in OpenVPN 2.5.");

         compat_flag(COMPAT_FLAG_SET | COMPAT_NAMES);

         compat_flag(COMPAT_FLAG_SET | COMPAT_NO_NAME_REMAPPING);

 #endif